Hackers are increasingly focusing their malicious activity on social networking sites like Twitter, according to a new study of Web application security incidents.
Social networking sites were the most targeted vertical market in the first half of 2009, accounting for 19 percent of hacking incidents. The study, conducted by Breach Security, Inc., is part of the bi-annual Web Hacking Incidents Database (WHID) report, which only looks at publicly reported web application security attacks that have a measurable outcome on an organization. Government and law enforcement sites were the top targets in 2008 but have dropped to number three.
Social networks are "a target-rich environment if you count the number of users there," said Ryan Barnett, director of application security research for Breach Security, one of the report's sponsors, which also include the Web Application Security Consortium.
Twitter has been attacked by several worms, and other social-networking platforms such as MySpace and Facebook have also been used to distribute malware. That's often done when an infected computer begins posting links on social-networking sites to other Web sites rigged with malicious software. Users click on the links since they trust their friends who posted the links, not knowing their friend has been hacked.
Barnett also told PCWorld that the WHID's data set, comprised of 44 hacking incidents, is small and "statistically insignificant" compared to the actual number of hacking incidents, but still shows an overall trend among hackers.
The WHID found that the number one motivation for hackers is defacing Web sites, either by planting malware or with standard overt changes. Leakage of sensitive information is a close second, and spreading disinformation is a distant third, mostly due to the hacking of celebrity online identities, the report said.
"The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity," Barnett said in a statement.